Re: to snat or to dnat .. that is the question

Yes, my firewall is the default route on all internal boxes.

----- Original Message ----- 
From: "Piszcz, Justin Michael" <justin.piszcz@xxxxxxxxxxxx>
To: "Peter Marshall" <peter.marshall@xxxxxxxxx>; "netfilter"
<netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, June 01, 2004 11:42 AM
Subject: RE: to snat or to dnat .. that is the question


If the box 192.168.0.20 does not have the firewall's IP as its default
route, then it will not work correctly (DNAT); I am not sure about SNAT.


-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Peter Marshall
Sent: Tuesday, June 01, 2004 10:30 AM
To: netfilter
Subject: to snat or to dnat .. that is the question

Hi again.

I am at a bit of a quandary, and am not sure what to do.

Let the external interface on my firewall be 100.100.100.100
I have an internal box, 192.168.0.20, that needs to connect to an external
box 200.200.200.200 on port 2000.

I want the internal box to hit my firewall on a different port, say 15000.

so basically

start: .... -s 192.168.0.20 -d 200.200.200.200 --dport 15000
after firewall -s 100.100.100.100 -d 200.200.200.200 --dport 2000

How can I do this ?

I started out with:

# -p tcp has to come before --dport; POSTROUTING only accepts -o, never -i
$IPT -t nat -A POSTROUTING -p tcp -d 200.200.200.200 --dport 15000 \
       -j SNAT --to-source 100.100.100.100

But this does not change the destination port (obviously). I thought about
doing the following:

# DNAT takes the new port as host:port; there is no second --dport
$IPT -t nat -A PREROUTING -i eth0 -p tcp -d 100.100.100.100 --dport 15000 \
         -j DNAT --to-destination 200.200.200.200:2000

However, I don't think that this will change my source address. Also, will
this even forward the packets? They would be coming in on the INPUT chain,
would they not?


Thank you for the help.
Peter Marshall


Peter Marshall, BCS
Network Administrator, CARIS
115 Waggoners Lane, Fredericton NB, E3B 2L4 CANADA
Phone:  (506) 458-8533 (Reception)
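
Added example, not part of the thread and not Peter's or Justin's rules: a
complete rule set for what the original post asks for. DNAT in PREROUTING
rewrites destination address and port, SNAT in POSTROUTING rewrites the source,
and the FORWARD rules let the translated connection and its replies through.
Assumptions: eth0 is the LAN interface (the post's PREROUTING rule matches
-i eth0) and eth1 is the WAN interface; addresses and ports are the ones from
the post. Without arguments the script only prints the rules; pass "apply" to
load them as root.

```shell
#!/bin/sh
# Added example for the thread above (constructed, not from the original post).
# Goal: 192.168.0.20 connects to the firewall on tcp/15000; the connection
# leaves the firewall as 100.100.100.100 -> 200.200.200.200:2000.
# Assumptions: eth0 = LAN side, eth1 = WAN side.
set -eu

IPT=${IPT:-iptables}      # set IPT=show to print the rules instead of loading them
LAN_IF=${LAN_IF:-eth0}    # assumption: internal interface
WAN_IF=${WAN_IF:-eth1}    # assumption: external interface
FW_EXT=100.100.100.100    # firewall's external address (from the post)
CLIENT=192.168.0.20
SERVER=200.200.200.200
LISTEN_PORT=15000         # port the client connects to on the firewall
REAL_PORT=2000            # port the real server listens on

# Dry-run helper: prints the iptables arguments one rule per line.
show() { printf '%s\n' "$*"; }

nat_rules() {
    # 1. nat/PREROUTING runs before the routing decision. Once the destination
    #    is rewritten to 200.200.200.200:2000 the packet is routed out through
    #    FORWARD, not delivered locally via INPUT. New port is host:port.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$CLIENT" -d "$FW_EXT" \
        --dport "$LISTEN_PORT" -j DNAT --to-destination "$SERVER:$REAL_PORT"

    # 2. filter/FORWARD sees the already-DNATed headers, so match the real port.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$CLIENT" -d "$SERVER" \
        --dport "$REAL_PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    #    Replies: conntrack undoes both translations itself; just let them back in.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. nat/POSTROUTING runs after routing and only accepts -o (never -i).
    #    The source rewrite matches on the post-DNAT destination.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -s "$CLIENT" -d "$SERVER" \
        --dport "$REAL_PORT" -j SNAT --to-source "$FW_EXT"
}

if [ "${1:-}" = apply ]; then
    sysctl -w net.ipv4.ip_forward=1   # the firewall must route between interfaces
    nat_rules
else
    IPT=show
    nat_rules
fi
```

The order of chain traversal is the whole point: nat/PREROUTING, then the
routing decision, then filter/FORWARD, then nat/POSTROUTING. Because the DNAT
has already happened when the route is looked up, the packet is forwarded
rather than landing on INPUT, and the SNAT rule has to match the rewritten
destination 200.200.200.200:2000, not the original 15000. Conntrack records
both translations for the connection, so the server's replies to
100.100.100.100 are mapped back and 192.168.0.20 sees them arriving from
100.100.100.100:15000, exactly what it connected to. "-m conntrack --ctstate"
is the current spelling of the "-m state --state" match that 2004-era
iptables used; both still load.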
